[Python-ideas] Should our default random number generator be secure?

The question is, "what value is there in changing the default to be crypto strong to protect future security-sensitive applications from naive implementers vs. the costs to current users who need to rewrite their applications to explicitly invoke the current default?"

Which is why botnets have millions of nodes. People who do web security evidently believe that inappropriate RNGs have something to do with widespread security issues. (That doesn't mean they're right, but it gives me pause for thought -- evidently, Guido thought so too!)

They're right. I used to be sanguine about this kind of thing because I spent a long time working in the defence sector, and assumed everyone else was as professionally paranoid as we were. I've been out of that world long enough now to realise that that assumption was deeply, and problematically, wrong*.

In that world, you work on the following assumptions: 1) you're an interesting target; 2) the attackers' compute capacity is nigh infinite; 3) any weakness will be found; 4) any weakness will be exploited; 5) "other weaknesses exist" isn't a reason to avoid addressing the weaknesses you know about.

That kind of reduction in search requirements means that searches that *should* have taken almost 3000 years (in the absence of the vulnerability) can instead be completed within a day.

Weak random number generators have a similar effect of reducing the search space for attackers - if you know a weakly random source was used, rather than a cryptographically secure one, then you can use what you know about the random number generator to favour inputs it is *likely* to have produced, rather than having to assume equal probability for the entire search space. And if the target was using a deterministic RNG and you're able to figure out the seed that was used? You no longer need to search at all - you can recreate the exact series of numbers the target was using.

Moving the default random source to a CSPRNG, and allowing folks to move to a faster deterministic PRNG for known non-security related use cases, or to the system random number generator for known security-related ones, is likely to prove a good way to provide safer defaults without reducing flexibility or raising barriers to entry too much.

Regards,
Nick.

P.S. * As a case in point, it was only a couple of years ago that I realised most developers *haven't* read docs like the NIST crypto usage guidelines or the IEEE 802.11i WPA2 spec, and don't make a habit of even casually following the progress of block cipher and secure hash function design competitions. It's been an interesting exercise for me in learning the true meaning of "expertise is relative" :)
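The two points the post makes (a deterministic PRNG's output is fully determined by its seed, and the explicit choice between a seeded PRNG for reproducible simulations and the system RNG for security-sensitive values) can be shown concretely with the standard library. The following is an added illustration, not code from the thread or from CPython itself; it assumes a Python 3.6+ interpreter where the `secrets` module exists, and the token length and seed sizes are chosen here for demonstration.

```python
import random
import secrets

TOKEN_BYTES = 16  # 128-bit tokens in every generator below (constructed choice)


def deterministic_token(seed: int, nbytes: int = TOKEN_BYTES) -> str:
    """Token drawn from the default Mersenne Twister, seeded explicitly.

    This is what `random.getrandbits()` does behind the scenes; anyone who
    learns or guesses the seed regenerates exactly the same token.
    """
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def system_token(nbytes: int = TOKEN_BYTES) -> str:
    """Token drawn from the OS entropy source via random.SystemRandom.

    There is no application-level seed to recover: the process cannot even
    replay its own output.
    """
    rng = random.SystemRandom()
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def secrets_token(nbytes: int = TOKEN_BYTES) -> str:
    """The stdlib helper intended for tokens; built on the same OS source."""
    return secrets.token_hex(nbytes)


def effective_entropy_bits(seed_bits: int, token_bits: int) -> int:
    """Work an attacker faces for a deterministic token.

    Enumerating seeds is enough to enumerate every token the generator can
    emit, so the effective search space is bounded by the seed, however long
    the token is. Constructed model for illustration; it ignores any further
    structure in the generator.
    """
    return min(seed_bits, token_bits)


def pick_generator(security_sensitive: bool, seed=None) -> random.Random:
    """The explicit choice the post proposes.

    Security-sensitive callers get the system RNG; reproducible simulations
    get a seeded deterministic PRNG that replays identically on every run.
    """
    if security_sensitive:
        return random.SystemRandom()
    return random.Random(seed)


if __name__ == "__main__":
    # Same seed, same token: the "no search needed" case from the post.
    print(deterministic_token(2015), deterministic_token(2015))
    # A 32-bit seed leaves only 2**32 possible 128-bit tokens.
    print("effective bits:", effective_entropy_bits(32, 128))
    # System source: two calls, two unrelated tokens.
    print(system_token(), secrets_token())
```

Running the block prints the same deterministic token twice, then the 32-bit bound, then two unrelated system tokens; the `pick_generator` helper is the shape of the opt-in the post describes, with the secure choice taken only when the caller asks for it.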